The threat landscape is never static. Is your cybersecurity risk management plan aligned with the latest threats so you can proactively manage risk? To get your cybersecurity risk management off to a good start in the new year, you’ll want to keep an eye on these top security and risk management trends for 2022, and then put a plan in place to tackle them.
Cybersecurity Trends for 2022
Ransomware has been at or near the forefront of security leaders’ minds for over a decade, but attackers have grown and changed over that time. We expect that ransomware will continue to evolve.
Some of those changes have to do with targets. In recent years, ransomware campaigns have targeted organizations on which large numbers of people depend for critical goods and services, including million-dollar ransom demands from fuel distributor Colonial Pipeline and food processor JBS USA. Ransomware attackers are also taking advantage of the supply chain by attacking companies that provide services or platforms, such as Kaseya. Compromising a supplier can give them a one-to-many advantage; in the case of Kaseya, the attack on an IT services platform provider gave them access to multiple managed service providers, and then to all of their clients.
Other changes have to do with the stakes. Attacks have shifted from desktop encryption with ransom demands in the hundreds of dollars to broader attacks with ransom demands in the millions. In addition to file encryption, attackers are threatening data dumps if ransoms are not paid. Some are even using a third level of threat, promising DDoS attacks if the victim fails to pay the ransom.
We expect these wider-reaching ransomware attacks to continue, particularly against critical infrastructure providers, manufacturing targets, and sectors that have a strong incentive to resolve an outage quickly.
Software Build Process Attacks
Modern software development requires a complex web of components, libraries, and build tools. Attackers are compromising companies that don’t ask tough questions about the security of each of those elements.
In late 2020, it was announced that attackers had gained access to SolarWinds’ systems and used that access to push a malicious update to users. Sensitive government organizations and major companies that used SolarWinds became accessible to the attackers once they installed the malicious update. Malicious updates are not the only form a software build process attack can take. Any weakness in code, components, infrastructure, or processes can affect the build process, and therefore every customer who uses the product. These attacks can lead to both financial and reputational losses, including the loss of trust from clients who use your software or products.
Most insider threats are not malicious in intent, but their carelessness leads to compromise. These cases include employees who fall for phishing or Business Email Compromise (BEC) scams, or who inadvertently reveal credentials or sensitive information to third parties. Other insider threats are malicious, including disgruntled or fired employees, or employees who are tempted by easy money promised by threat actors. Whether malicious or careless, these incidents are expensive. The cost of insider threats is on the rise, from an average of $8.76 million in 2018 to $11.45 million in 2020, and we expect this trend to continue.
In addition to financially motivated attackers, we expect nation-state attacks to continue. Nation-states often perform or subsidize attacks to obtain intelligence or intellectual property, sway public opinion, or pressure governments. Their tactics vary from sophisticated espionage to more straightforward social engineering. Russia and North Korea are leading the charge among nation-state actors, and their tooling ranges from bespoke tools to commodity platforms, depending on their goals. We expect that nation-state attacks will continue, and will focus specifically on oil and gas, large tech and social platforms, and emerging technologies.
Between digital transformation and continued remote work, cloud adoption is expected to keep growing. The market for cloud services is expected to grow 17.5% year-over-year from 2020 through 2025. Though some companies are still wary of the cloud, particularly in heavily regulated industries, the business climate and customer expectations are weighing heavily toward cloud adoption, and more and more sensitive data and business functions are being entrusted to the cloud.
Attackers know this. They are targeting common vulnerabilities like misconfigured storage buckets, insufficiently limited account access, and metadata services. Sophisticated groups, like nation-state attackers, are refining their tactics to take full advantage of cloud platforms and compromised accounts. We expect this focus to continue as cloud adoption grows.
Attacks Against Industrial Control Systems
Ransomware is not the only cybersecurity threat facing critical infrastructure providers. Industrial control systems are also a target, as illustrated by an attack against the water system in Oldsmar, Florida. With services such as water, electricity, and fuel provided by more and more connected devices, industrial control system attacks can have a broad impact. Malicious or careless insiders, as well as persistent nation-state attackers, can take advantage of issues such as poor security configurations, compromised or overprivileged accounts, or unpatched ICS software. They can disrupt the supply of critical utilities as well as people’s trust in their utilities or utility providers. With the increasing connectedness of industrial control systems, we expect these attacks to continue.
The Value of a Forward-Looking Risk Register
Making the right decisions for how to protect yourself against these threats, as well as the new threats that arise in 2022 and beyond, requires proactive cybersecurity risk management.
Historically, risk has been an important concept, but has been more about assumptions than about hard data. Most businesses manage their risk implicitly. Implicit risk management happens when a business aligns their controls with a compliance or best practice framework, assuming that such alignment will keep them prepared to face their actual risk. That leaves a business in a reactive state when facing risks, especially ones that their chosen framework did not anticipate.
Businesses need to shift to explicit cybersecurity risk management. This philosophy aligns controls with an actual risk target, based on real threats to the business. A risk register is an important tool for explicit risk management, but only when implemented the right way. Some businesses will call a document a risk register, when it is merely a list of vulnerabilities and risks. Lists and brainstorming are part of creating a risk register, but not the whole exercise.
A risk register needs to include actual forecasting, including creating risk scenarios, estimating the probability of that situation occurring, and estimating the loss if it were to happen. A proper risk register is also not a static document. It requires continuous evaluation, expert analysis, and adjustment based on changing threats, technologies, and risk tolerance. Doing the work to keep a forward-looking risk register will put you in the best position to be proactive about your level of risk, and to make decisions that are the most impactful for lowering your risk to tolerable levels.
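To make the forecasting concrete, here is a small forward-looking risk register as an added example (not code from the original post): each entry pairs a scenario drawn from the trends above with a three-point estimate of its annual probability and of the loss if it occurs, the register is ranked by expected annual loss, and one scenario is re-estimated to price a control. All scenario names, probabilities, losses and the control cost are constructed and illustrative, not measured data.

```python
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskScenario:
    """One register entry: a scenario plus (low, most likely, high) estimates."""
    name: str
    prob: tuple   # annual probability the scenario occurs
    loss: tuple   # loss in USD if it occurs


def tri_mean(est):
    """Mean of a triangular (low, most likely, high) estimate."""
    low, mode, high = est
    return (low + mode + high) / 3


def expected_annual_loss(s):
    """Point estimate: probability of the scenario times the loss given it occurs."""
    return tri_mean(s.prob) * tri_mean(s.loss)


def simulate_annual_loss(s, trials=20000, seed=7):
    """Monte Carlo over simulated years; returns the (p50, p90) annual loss."""
    rng = random.Random(seed)
    years = []
    for _ in range(trials):
        p = rng.triangular(s.prob[0], s.prob[2], s.prob[1])
        hit = rng.random() < p
        years.append(rng.triangular(s.loss[0], s.loss[2], s.loss[1]) if hit else 0.0)
    years.sort()
    return years[len(years) // 2], years[int(len(years) * 0.9)]


def rank_register(register):
    """Order scenarios by expected annual loss, highest first."""
    return sorted(register, key=expected_annual_loss, reverse=True)


def control_benefit(before, after, annual_cost):
    """Risk reduction a control buys, net of its yearly cost (positive = worth it)."""
    return expected_annual_loss(before) - expected_annual_loss(after) - annual_cost


# Constructed scenarios mirroring the trends above; all estimates are illustrative.
REGISTER = [
    RiskScenario("Ransomware with data-dump extortion", (0.05, 0.15, 0.30), (500_000, 2_000_000, 6_000_000)),
    RiskScenario("Compromised build dependency", (0.02, 0.05, 0.10), (200_000, 1_000_000, 5_000_000)),
    RiskScenario("Careless insider leaks credentials", (0.20, 0.40, 0.70), (50_000, 300_000, 1_000_000)),
    RiskScenario("Misconfigured cloud storage bucket", (0.10, 0.25, 0.50), (100_000, 400_000, 2_000_000)),
]

# Re-estimation after a control: tested offline backups shrink the ransomware loss range.
RANSOMWARE = REGISTER[0]
RANSOMWARE_WITH_BACKUPS = replace(RANSOMWARE, loss=(100_000, 500_000, 2_000_000))

if __name__ == "__main__":
    for s in rank_register(REGISTER):
        print(f"{s.name:38} EAL ${expected_annual_loss(s):>10,.0f}  p50/p90 {simulate_annual_loss(s)}")
    print("Net yearly benefit of backups:", round(control_benefit(RANSOMWARE, RANSOMWARE_WITH_BACKUPS, 150_000)))
```

Re-running the ranking after each re-estimate is the "continuous evaluation" the register needs: when a scenario's probability or loss range changes, its position and the controls worth funding change with it.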
Manage Your Risk in 2022
As your business moves into 2022, now is the right time to make sure your cybersecurity risk management program is ready to confront the varied and evolving threat landscape. A forward-looking risk register is a sound foundation, since it puts your business in a position of tracking the threat landscape, anticipating how it will affect you, and tailoring security controls to those risks. A core component of making that forward-looking risk register as useful as possible is to quantify your risk using FAIR, an industry-standard quantitative model for assessing cybersecurity risk.
See for yourself how quantifying cyber risk helped a rail line that faced new regulatory requirements develop a cost-effective remediation plan and make informed decisions about which controls and changes would do the most to reduce risk.